How Hackers Could Crash a Cellular Network

Security researchers in Greece claim that mobile-phone networks can be disabled by hackers. Using a technique analogous to distributed denial-of-service (DDoS) attacks on websites, the researchers say, it would be possible to overwhelm a cellular network and shut it down.

Christos Xenakis, an assistant professor at the University of Piraeus near Athens, and Christoforos Ntantogian, a research assistant at the University of Piraeus, came up with their method, which has not been tested on a large scale, after probing weaknesses in cellular networks. They published their results in a recent issue of the journal Computers & Security.

The cellular DDoS attack would involve cloning identification information from cellphone SIM cards onto duplicate SIM cards in hundreds or thousands of cellphones, and then making multiple roaming calls from widely separated locations from handsets that appear, at least to cell towers, to be the same phones.

The attack would amplify the effort it takes to authenticate a roaming call by deliberately confusing the network with a number that appears to be in hundreds of places at once.

The total cost, Xenakis and Ntantogian said, could be only a few thousand dollars.

Send in the clones

SIM cards have been cloned before. It's an old trick that criminals used in the 1990s to make calls and bill them to someone else. Phone carriers got wise to that and made it harder to do, but it still happens.

Xenakis and Ntantogian's attack is a bit different from regular SIM cloning because it doesn't require that all the information on a SIM card be copied, but just enough information to convince cellular-network software that it should try to authenticate the SIM card.

To prepare for the attack, a hacker would require a device that can "harvest" the International Mobile Subscriber Identity, or IMSI, numbers of a lot of cellphone SIM cards.

Xenakis said it would be possible to build, using commercially available hardware, a kind of fake cell tower that could harvest the IMSIs from every handset that passes nearby. Each harvested IMSI could then be duplicated onto tens or hundreds of blank SIM cards.

A cellular network's choke point

Authentication of a roaming cellphone takes time, because the host network has to check with a handset's home network to verify that a particular phone is legitimate.

When a cellphone roams out of its home network, every call it makes is handled by the nearest compatible cell tower. The tower queries a home location register (HLR), a central database that contains details of each mobile phone subscriber authorized to use the tower's local network.

If a phone's ID is not listed in the database, the local HLR contacts the HLR of the handset's home network and asks whether the phone is legitimate and authorized. If the user has paid for or enabled roaming service, the answer is yes. The call is then connected.

However, this verification process takes time — a few seconds, on average. Even if the verification request fails and the call isn't connected, the HLR-to-HLR communication and resulting transfer of data eat up computing resources.

Ordinarily, this system load would not be a problem. But too many requests to a local cellular network can overwhelm it.

That's what happened in the New York City area during the terrorist attacks of Sept. 11, 2001. Cellular networks that routinely handled hundreds of thousands of calls daily were unable to cope with the massive volume of simultaneous calls into and out of the area, and many people trying to reach their loved ones found they couldn't connect.

Throttling the network

Xenakis and Ntantogian's attack would essentially replicate that massive system load, but the calls wouldn’t even need to be connected — all the attack would need to do is tie up an HLR's time with bogus roaming-call verification requests.

"The home network trusts the roaming networks," Xenakis said. "The [roaming] network can't check whether you are a legal subscriber or not."

With multiple copies of SIM cards with identical IMSIs trying to verify themselves at once, neither the roaming nor the home networks' HLRs would know which phone was the legitimate one. That would eat up system resources, because it's not something cellular-network software would expect to see.

Amplify that by hundreds or thousands of bogus handsets trying to make voice calls at the same time, and the verification effort could flood the home network's servers and cause it to refuse calls from — in other words, deny service to — legitimate users.

Too hard, or too expensive, to pull off?

This kind of attack would be well beyond the reach of a weekend hacker, and some security researchers think it might not be a real-world threat at all.

Douglas DePerry, a researcher at Leaf Security Research in Red Bank, N.J., said there would be no way for anyone to make money from such an attack. While it might cause a carrier a loss of revenue, he said, it wouldn't necessarily attract cybercriminals.

Karsten Nohl, an expert on cellular-network security at Security Research Labs in Berlin, said another obstacle would be the expense and effort required to clone a huge number of SIM cards.

"The presented attack will require building thousands of devices and deploying them to hundreds of locations in dozens of countries," Nohl wrote in an email message, adding that the attack could cost hundreds of thousands of dollars.

Nohl also was skeptical that an HLR could be so easily fooled and forced to slow down. HLRs, Nohl noted, routinely balance the call loads they face every day.

Cell towers in the crosshairs

Mike Tassey, a security consultant based in the Washington, D.C., area who demonstrated a cell tower-spoofing drone at the Black Hat security conference in Las Vegas in 2011, said it wasn't the specifics of Xenakis and Ntantogian's attack that made it interesting, but the type of attack it was.

Cellular networks, Tassey said, are relatively new targets for hackers.

"For lots of years, cellphones were a black box," Tassey said "There wasn't a way to peek under the covers, and the research was the realm for people with hundreds of thousands [of dollars] to mess with."

There are many pieces to the attack. It might be hard to make lots of calls from many places, Tassey noted, and it would require a lot of organization.

In that sense, the theoretical attack could resemble DDoS attacks by the hacktivist movement Anonymous in which hundreds of volunteers simultaneously pointed server-load-testing software at a single target and "fired" as part of a large group.

Hundreds of volunteers could fan out across a region, each in a different cell tower's local range, and all try to make calls from what appeared to be the same number at once.

It would also be possible, in theory, to launch such attacks remotely through malware, without the owners of the hijacked phones being aware of it — but that kind of malware hasn't been written yet.

Xenakis and Ntantogian's attack might open up new avenues of research for cellular network security, Tassey said.

"One of the things this line of thinking brings up is malware that can sniff interactions between the SIM and the network and relay it to a database," he said.